Effortlessly Secure Remote Database Access with AWS Session Manager

Overview

In cloud computing, keeping your data safe is super important. When you’re trying to control who can access Amazon RDS instances in private subnets, it can be a bit tricky. But in this blog post, we will show you a safe way to do it using AWS Systems Manager Session Manager. We’ll walk you through how to connect to your Amazon RDS instances safely and easily, all while ensuring your data and computer stay protected.

We’ll start by talking about the plan, what you need to get started, and the steps to follow. It will make connecting to your Amazon RDS instances feel like a breeze, and you won’t have to worry about your data and stuff getting into the wrong hands.

Introduction

AWS Session Manager is a fully managed AWS Systems Manager capability that enables secure and auditable remote management of instances, including your database servers. It eliminates the need for SSH keys and manual configuration while providing fine-grained access control and session logging.

Amazon RDS, offered by AWS, is a fully managed and scalable database service that simplifies the setup and maintenance of various relational databases.

It’s a top choice for hosting relational databases in the cloud, making it essential for organizations needing a dependable and cost-effective database solution.

Architecture diagram

With AWS Session Manager, you can enjoy the security advantages of a bastion host while operating within a private subnet—eliminating the need to open any ports—enabling direct connections to Amazon RDS from your workstation.

Furthermore, this solution eliminates the need for the cumbersome management of access to SSH/PEM keys, streamlining the process. Instead, AWS Identity and Access Management (IAM) can efficiently manage all access.

Prerequisites

• AWS IAM Role with Policy “AmazonSSMManagedInstanceCore”
• Install the SSM agent in your Jump Server.
• AWS Session manager Plugin installed on your workstation.
• A GUI database toolset for this scenario, we will use MySQL Workbench.
• AWS CLI in the local System. (Use this link to install in your OS)

Step-by-Step Guide

Step 1:  Create an AWS IAM role for the System manager

• Create an AWS IAM role for the AWS Session Manager to work.

• In the “Trusted entity type” section, select “AWS service.”
• Choose “EC2” as the service or use case.
• Click “Next.”
• In the “Add permission” tab, select the “AmazonSSMManagedInstanceCore” policy.
• Click “Next.”
• Provide a name for the role.
• Click “Create Role.”

Step 2:  AWS Session Manager plugin Installation

In this scenario, we use a Windows workstation as a local machine to install this plugin on a Windows station. If you have another OS, use this link for installation.

• Use this URL to Download the exe file from AWS for the Session Manager plugin.

• Now Click on the Downloaded exe file for installation and install it.

Step 3:  Launch the Jump Server

• Go to the Amazon EC2 dashboard in the AWS console.
• Click on Launch instance.
• Give the name to the Jump Server and Select the AMI for the Jump server.

• Select the Instance type and choose the existing key file or create a new one.

• In Network Setting, select the Amazon VPC you want to specify any public subnet, and in Inbound rules, you can leave this part empty.
• Configure the Storage size as you need.
• In the advanced setting, select the AWS IAM role we created earlier.

• Click on Launch Instance.

Step 4:  SSM agent Installation

To install the AWS Systems Manager Agent (SSM Agent) on your Amazon Linux 2023 machine, you can follow these steps (In our Scenario, we are using Amazon Linux 2023 as a jump server). If you have another OS, you can use this link to find steps to install the SSM agent :

• Connect to your Jump Server using AWS Session Manager or other methods.
• Go to System Manager and Select AWS Session Manager in the left panel.
• In AWS Session Manager, click on start session.
• Select your target instance here. It is a Jump server and click on start session.
• You will redirected to the web-based terminal of your instance.

• Check if the SSM agent is pre-installed or not. If not, follow the steps to install it. If it is up and running, then skip the installation part

• Copy the command to run it on the instance to install it.

• Run the below command to verify that the SSM agent is running.

You will get a similar output like this:

• If you get an output where the service is inactive:

To activate the agent, run the below command:

Step 5:  Launch Amazon RDS in private Subnet

• In the Amazon RDS dashboard on AWS Console, click on Create Database
• Select the engine option according to your needs. We are using MySQL for this demo.
• Select Engine Version, we are using the latest version.
• We are using a free tier and single DB instance for the demo. You can choose any of the options as your requirement.
• Give Amazon RDS a username and password.
• In the Connectivity tab, select Amazon VPC and choose a private Subnet group.
• Select no in the Public access option.
• In Additional configuration, give the Initial database name.
• Now, Click on the Create Database button.
• Amazon RDS security Group allows inbound traffic on port 3306 from Jump server Security Group.

Step 6:  Connecting to Amazon RDS

• Open the Command prompt on a Windows Workstation.
• Configure your AWS IAM profile by using the below command.

• Now put the Access key, Secret Key, and Region on the filled.
• Run the below command to use Amazon RDS locally.

• You will see output like this on the Command prompt.

• Now open the MySQL workbench application and create a new connection.

• Here, we put the local host IP in Hostname and provided the port number where Amazon RDS is configured locally and username.
• Now click on the OK button, and it will ask for the password. Fill in the password, and your connection is successful.

Conclusion

In conclusion, this blog has unveiled a secure and efficient approach to accessing Amazon RDS instances in private subnets. By harnessing the power of AWS Systems Manager Session Manager, you can maintain the highest levels of data security while enabling seamless connectivity.

SSH/PEM key management has become a thing of the past, as all access is conveniently handled through AWS Identity and Access Management (IAM).

Following the steps outlined in this guide, you can confidently strike the perfect balance between data protection and accessibility, ensuring that your Amazon RDS instances remain secure while enabling efficient remote management and development.

Drop a query if you have any questions regarding AWS Systems Manager Session Manager and we will get back to you quickly.

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, AWS EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.